From ca247f6f5821415b8c3437916e473785d6fd6403 Mon Sep 17 00:00:00 2001 From: Gian Demarmels Date: Mon, 27 Dec 2021 16:21:26 +0100 Subject: fixed CS signatures and cleanup/refactoring --- src/include/taler_crypto_lib.h | 89 +++++++----------------------------------- src/util/crypto.c | 12 +++--- src/util/denom.c | 49 ++++++----------------- src/util/test_crypto.c | 24 +++++------- 4 files changed, 40 insertions(+), 134 deletions(-) (limited to 'src') diff --git a/src/include/taler_crypto_lib.h b/src/include/taler_crypto_lib.h index 87e38896e..3de843a22 100644 --- a/src/include/taler_crypto_lib.h +++ b/src/include/taler_crypto_lib.h @@ -353,12 +353,12 @@ struct TALER_CoinSpendSignatureP /** * @brief Type of blinding keys for Taler. - * must be 32 bytes + * must be 32 bytes (DB) */ union TALER_DenominationBlindingKeyP { /** - * Clause Schnorr Signatures have 2 blinding secrets, each containing two unpredictable values. + * Clause Schnorr Signatures have 2 blinding secrets, each containing two unpredictable values. (must be 32 bytes) */ struct GNUNET_CRYPTO_CsNonce nonce; @@ -618,10 +618,9 @@ struct TALER_DenominationSignature }; /** - * The Sign Answer for Clause B lind Schnorr signature. + * The Sign Answer for Clause Blind Schnorr signature. * The sign operation returns a parameter @param b and the signature * scalar @param s_scalar. - * The function does not return the whole signature, due to that is only the blinded s_scalar. */ struct TALER_BlindedDenominationCsSignAnswer { 
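Review bot: The `must be 32 bytes (DB)` comment on union TALER_DenominationBlindingKeyP (first hunk) states a size invariant that the database layer apparently depends on, but nothing in the header enforces it, so a later change to either union member could silently break the stored-blob size. Turn the comment into a compile-time check next to the union, e.g. `_Static_assert (sizeof (union TALER_DenominationBlindingKeyP) == 32, "blinding key must be 32 bytes for the DB");` (or the project's own static-assert macro if one exists). The union's closing brace, where such a check would go, is outside the hunk.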
@@ -833,57 +832,6 @@ struct TALER_DenominationCsPrivateR struct GNUNET_CRYPTO_CsRSecret r[2]; }; -/** - * @brief RSA Parameters to create blinded messages - * - */ -struct TALER_DenominationBlindMessageRsaParams -{ - /** - * blinded message to be signed - * Note: is malloc()'ed! - */ - void **coin_ev; - - /** - * size of the blinded message to be signed - */ - size_t *coin_ev_size; -}; - - -/** - * @brief CS Parameters to create blinded messages - * - */ -struct TALER_DenominationBlindMessageCsParams -{ - -}; - -/** - * @brief Type including Parameters to create blinded message - * - */ -struct TALER_DenominationBlindMessageParams -{ - /** - * Details, depending on @e cipher. - */ - union - { - /** - * If we use #TALER_DENOMINATION_CS in @a cipher. - */ - struct TALER_DenominationBlindMessageCsParams cs_blind_msg_params; - - /** - * If we use #TALER_DENOMINATION_RSA in @a cipher. - */ - struct TALER_DenominationBlindMessageRsaParams rsa_blind_msg_params; - - } details; -}; /** * @brief Public information about a coin (including the public key @@ -968,6 +916,9 @@ TALER_cs_withdraw_nonce_derive (const struct * Create a blinding secret @a bs for @a cipher. * * @param[out] bs blinding secret to initialize + * @param cipher algorithm to use (CS or RSA) + * @param ... If CS signature, R_0 and R_1 (TALER_DenominationCsPublicR) + * and the coins private key is needed */ void TALER_blinding_secret_create (union TALER_DenominationBlindingKeyP *bs, 
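Review bot: The new `@param ...` text on TALER_blinding_secret_create (last hunk) names what a CS caller must supply but not the pointer types or the order, and `va_arg` reads variadic arguments positionally with no type checking, so a caller that swaps or omits one gets silent memory misinterpretation instead of a compile error. Since this same commit deletes the typed TALER_DenominationBlindMessageParams union (first hunk), the doc comment is now the only contract; spell it out in the exact order the implementation reads them, e.g. `@param ... for #TALER_DENOMINATION_CS: pointer to the R_0/R_1 pair (struct TALER_DenominationCsPublicR *), then pointer to the coin's private key, in this order; nothing for RSA`, and fix `the coins private key` to `the coin's private key`. The definition of this function is not in the diff, so the order must be confirmed against crypto.c. Longer term a tagged parameter struct would restore the type checking that the deleted union provided.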
@@ -1013,20 +964,6 @@ void TALER_denom_sig_free (struct TALER_DenominationSignature *denom_sig); -/** - * Function for CS signatures to derive the secret r_0 and r_1 - * - * @param nonce withdraw nonce from a client - * @param denom_priv denomination privkey as long-term secret - * @param r the resulting r_0 and r_1 - * @return enum GNUNET_GenericReturnValue, returns SYSERR when denom key has wrong type - */ -enum GNUNET_GenericReturnValue -TALER_denom_cs_derive_r_secret (const struct TALER_WithdrawNonce *nonce, - const struct - TALER_DenominationPrivateKey *denom_priv, - struct TALER_DenominationCsPrivateR *r); - /** * @brief Function for CS signatures to derive public R_0 and R_1 * @@ -1053,6 +990,7 @@ TALER_denom_cs_derive_r_public (const struct TALER_WithdrawNonce *nonce, * @param[out] c_hash resulting hashed coin * @param[out] coin_ev blinded coin to submit * @param[out] coin_ev_size number of bytes in @a coin_ev + * @param ... cipher-specific parameters * @return #GNUNET_OK on success */ enum GNUNET_GenericReturnValue @@ -1070,8 +1008,8 @@ TALER_denom_blind (const struct TALER_DenominationPublicKey *dk, * * @param[out] denom_sig where to write the signature * @param denom_priv private key to use for signing - * @param blinded_msg message to sign - * @param blinded_msg_size number of bytes in @a blinded_msg + * @param blinded_planchet the planchet already blinded + * @param ... If CS signature, a TALER_WithdrawNonce is needed * @return #GNUNET_OK on success */ enum GNUNET_GenericReturnValue @@ -1088,6 +1026,7 @@ TALER_denom_sign_blinded (struct TALER_BlindedDenominationSignature *denom_sig, * @param bdenom_sig the blinded signature * @param bks blinding secret to use * @param denom_pub public key used for signing + * @param ... cipher-specific parameters * @return #GNUNET_OK on success */ enum GNUNET_GenericReturnValue 
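Review bot: The updated TALER_denom_sign_blinded documentation (fourth hunk) says a TALER_WithdrawNonce is needed for CS but omits the invariant the signer's security rests on: the removed TALER_denom_cs_derive_r_secret body in denom.c shows r_0/r_1 derived deterministically as `GNUNET_CRYPTO_cs_r_derive (&nonce->nonce, &denom_priv->details.cs_private_key, r->r)`, so signing two different blinded messages under the same nonce reuses R, and in Schnorr-type schemes two signatures sharing R let anyone holding both recover the private key. The nonce is client-chosen (the deleted doc calls it `withdraw nonce from a client`), so the caller must guarantee each nonce is signed at most once per denomination key and return the stored answer on a repeat. Add that to the doc, e.g. `@param ... If CS signature, a TALER_WithdrawNonce is needed; callers MUST NOT sign two different blinded planchets with the same nonce under the same key, as R is derived from (nonce, key) and reuse exposes the private key.` Whether the signer still derives r this way after the refactor is not visible in this diff.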
@@ -1125,7 +1064,7 @@ TALER_denom_pub_hash (const struct TALER_DenominationPublicKey *denom_pub, * @a denom_dst. * * @param[out] denom_dst target to copy to - * @param denom_str public key to copy + * @param denom_src public key to copy */ void TALER_denom_pub_deep_copy (struct TALER_DenominationPublicKey *denom_dst, @@ -1137,7 +1076,7 @@ TALER_denom_pub_deep_copy (struct TALER_DenominationPublicKey *denom_dst, * @a denom_dst. * * @param[out] denom_dst target to copy to - * @param denom_str public key to copy + * @param denom_src public key to copy */ void TALER_denom_sig_deep_copy (struct TALER_DenominationSignature *denom_dst, @@ -1149,7 +1088,7 @@ TALER_denom_sig_deep_copy (struct TALER_DenominationSignature *denom_dst, * @a denom_dst. * * @param[out] denom_dst target to copy to - * @param denom_str public key to copy + * @param denom_src public key to copy */ void TALER_blinded_denom_sig_deep_copy ( @@ -1466,6 +1405,7 @@ TALER_planchet_setup_random (struct TALER_PlanchetSecretsP *ps, * @param[out] c_hash set to the hash of the public key of the coin (needed later) * @param[out] pd set to the planchet detail for TALER_MERCHANT_tip_pickup() and * other withdraw operations + * @param ... cipher-specific parameters * @return #GNUNET_OK on success */ enum GNUNET_GenericReturnValue @@ -1485,6 +1425,7 @@ TALER_planchet_prepare (const struct TALER_DenominationPublicKey *dk, * @param ps secrets from #TALER_planchet_prepare() * @param c_hash hash of the coin's public key for verification of the signature * @param[out] coin set to the details of the fresh coin + * @param ... cipher-specific parameters * @return #GNUNET_OK on success */ enum GNUNET_GenericReturnValue diff --git a/src/util/crypto.c b/src/util/crypto.c index 03a438d25..1e5033a0c 100644 --- a/src/util/crypto.c +++ b/src/util/crypto.c 
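Review bot: `@param ... cipher-specific parameters` on TALER_planchet_prepare and TALER_planchet_to_coin (last two hunks of the header) is too vague for a variadic API: the crypto.c side of this same commit reads `r_pub` then `blinded_r_pub` via `va_arg` in TALER_planchet_prepare and a single `r_pub_blind` in TALER_planchet_to_coin, and a caller passing them in another order gets undefined behaviour rather than a compile error. State the types and order explicitly, e.g. `@param ... for #TALER_DENOMINATION_CS: struct TALER_DenominationCsPublicR *r_pub, struct TALER_DenominationCsPublicR *blinded_r_pub, in this order` on prepare and `@param ... for #TALER_DENOMINATION_CS: struct TALER_DenominationCsPublicR *r_pub_blind (the blinded R values)` on to_coin. Also say what RSA callers pass (presumably nothing) so nobody passes garbage that a later va_arg could read.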
@@ -247,7 +247,7 @@ TALER_blinding_secret_create (union TALER_DenominationBlindingKeyP *bs, /** * @brief setup a random planchet * In Case of RSA planchet, the bks gets set - * In Case of Schnorr this will be set in future + * In Case of Clause Schnorr this will be set in future */ void TALER_planchet_setup_random (struct TALER_PlanchetSecretsP *ps, @@ -307,11 +307,9 @@ TALER_planchet_prepare (const struct TALER_DenominationPublicKey *dk, { va_list ap; va_start (ap, pd); - struct TALER_WithdrawNonce *nonce; struct TALER_DenominationCsPublicR *r_pub; struct TALER_DenominationCsPublicR *blinded_r_pub; - nonce = va_arg (ap, struct TALER_WithdrawNonce *); r_pub = va_arg (ap, struct TALER_DenominationCsPublicR *); blinded_r_pub = va_arg (ap, struct TALER_DenominationCsPublicR *); @@ -322,7 +320,6 @@ TALER_planchet_prepare (const struct TALER_DenominationPublicKey *dk, &coin_pub, c_hash, &pd->blinded_planchet, - nonce, r_pub, blinded_r_pub)) { @@ -373,14 +370,14 @@ TALER_planchet_to_coin ( va_list ap; va_start (ap, coin); - struct TALER_DenominationCsPublicR *r_pub_dash; - r_pub_dash = va_arg (ap, struct TALER_DenominationCsPublicR *); + struct TALER_DenominationCsPublicR *r_pub_blind; + r_pub_blind = va_arg (ap, struct TALER_DenominationCsPublicR *); if (GNUNET_OK != TALER_denom_sig_unblind (&sig, blind_sig, &ps->blinding_key, dk, - r_pub_dash)) + r_pub_blind)) { GNUNET_break_op (0); va_end (ap); @@ -403,6 +400,7 @@ TALER_planchet_to_coin ( TALER_denom_sig_free (&sig); return GNUNET_SYSERR; } + coin->sig = sig; coin->coin_priv = ps->coin_priv; return GNUNET_OK; diff --git a/src/util/denom.c b/src/util/denom.c index ada2289ce..12b499aa0 100644 --- a/src/util/denom.c +++ b/src/util/denom.c 
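Review bot: The reworded comment on TALER_planchet_setup_random (first hunk) still says the blinding key is only set for RSA and for Clause Schnorr `will be set in future`, yet in this same commit TALER_denom_blind in denom.c derives the CS blinding secrets from `coin_bks->nonce`; a CS caller relying on setup_random alone would therefore blind with whatever bytes happen to be in `ps->blinding_key` (zero or stale stack contents), which could make the blinding factor predictable. Until the CS path is implemented here, make the comment an explicit contract, e.g. `For CS the caller MUST populate ps->blinding_key via TALER_blinding_secret_create() once R_0/R_1 are known; this function leaves it untouched`, or better, fill the union from TALER_blinding_secret_create for both ciphers. The body of TALER_planchet_setup_random is outside the hunk, so whether it zeroes or leaves the field uninitialized is not visible.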
@@ -81,25 +81,6 @@ TALER_denom_priv_create (struct TALER_DenominationPrivateKey *denom_priv, } -enum GNUNET_GenericReturnValue -TALER_denom_cs_derive_r_secret (const struct TALER_WithdrawNonce *nonce, - const struct - TALER_DenominationPrivateKey *denom_priv, - struct TALER_DenominationCsPrivateR *r) -{ - if (denom_priv->cipher != TALER_DENOMINATION_CS) - { - GNUNET_break (0); - return GNUNET_SYSERR; - } - - GNUNET_CRYPTO_cs_r_derive (&nonce->nonce, - &denom_priv->details.cs_private_key, - r->r); - return GNUNET_OK; -} - - enum GNUNET_GenericReturnValue TALER_denom_cs_derive_r_public (const struct TALER_WithdrawNonce *nonce, const struct @@ -216,26 +197,19 @@ TALER_denom_sig_unblind ( { va_list ap; va_start (ap, denom_pub); - struct TALER_DenominationCsPublicR *r_pub_dash; - r_pub_dash = va_arg (ap, struct TALER_DenominationCsPublicR *); + struct TALER_DenominationCsPublicR *r_pub_blind; + r_pub_blind = va_arg (ap, struct TALER_DenominationCsPublicR *); struct GNUNET_CRYPTO_CsBlindingSecret bs[2]; GNUNET_CRYPTO_cs_blinding_secrets_derive (&bks->nonce, bs); - struct GNUNET_CRYPTO_CsS s_scalar; - GNUNET_CRYPTO_cs_unblind (&bdenom_sig->details.blinded_cs_answer.s_scalar, &bs[bdenom_sig->details.blinded_cs_answer.b], - &s_scalar); - - // TODO: This seems to work, but is this a good idea? - // Not working: - // denom_sig->details.cs_signature.r_point = r_pub_dash->r_pub[bdenom_sig->details.blinded_cs_answer.b]; - GNUNET_memcpy (&denom_sig->details.cs_signature, &s_scalar, sizeof(struct - GNUNET_CRYPTO_CsS)); - GNUNET_memcpy (&denom_sig->details.cs_signature + sizeof(struct - GNUNET_CRYPTO_CsS), - &r_pub_dash->r_pub[bdenom_sig->details.blinded_cs_answer.b], + &denom_sig->details.cs_signature.s_scalar); + + GNUNET_memcpy (&denom_sig->details.cs_signature.r_point, + &r_pub_blind->r_pub[bdenom_sig->details.blinded_cs_answer.b + ], sizeof(struct GNUNET_CRYPTO_CsRPublic)); denom_sig->cipher = TALER_DENOMINATION_CS; 
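Review bot: In TALER_denom_sig_unblind (second hunk) `bdenom_sig->details.blinded_cs_answer.b` indexes both the two-element `bs[2]` array and `r_pub_blind->r_pub[...]` without a range check; the blinded answer is received from the exchange, so unless `b` is declared as a single bit (its declaration in TALER_BlindedDenominationCsSignAnswer is not in this diff) a malformed or hostile reply with b >= 2 reads past both arrays and copies stack bytes into the unblinded signature or crashes the caller. Reject anything other than 0 or 1 before the derive call, as below. Separately, the derived `bs[2]` blinding secrets stay on the stack after use; wiping them before returning would be cheap insurance.

```c
  r_pub_blind = va_arg (ap, struct TALER_DenominationCsPublicR *);
  /* b selects one of two blinding secrets and one of two R values;
     it comes from the exchange's reply and must be 0 or 1 */
  if (bdenom_sig->details.blinded_cs_answer.b > 1)
  {
    GNUNET_break_op (0);
    va_end (ap);
    return GNUNET_SYSERR;
  }
  /* … unchanged: derive bs, unblind s_scalar, copy r_point … */
```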
@@ -362,16 +336,14 @@ TALER_denom_blind (const struct TALER_DenominationPublicKey *dk, { va_list ap; va_start (ap, blinded_planchet); - struct TALER_WithdrawNonce *nonce; struct TALER_DenominationCsPublicR *r_pub; struct TALER_DenominationCsPublicR *blinded_r_pub; - nonce = va_arg (ap, struct TALER_WithdrawNonce *); r_pub = va_arg (ap, struct TALER_DenominationCsPublicR *); blinded_r_pub = va_arg (ap, struct TALER_DenominationCsPublicR *); struct GNUNET_CRYPTO_CsBlindingSecret bs[2]; - GNUNET_CRYPTO_cs_blinding_secrets_derive (&nonce->nonce, bs); + GNUNET_CRYPTO_cs_blinding_secrets_derive (&coin_bks->nonce, bs); GNUNET_CRYPTO_cs_calc_blinded_c (bs, r_pub->r_pub, @@ -422,11 +394,12 @@ TALER_denom_pub_verify (const struct TALER_DenominationPublicKey *denom_pub, if (GNUNET_OK != GNUNET_CRYPTO_cs_verify (&denom_sig->details.cs_signature, &denom_pub->details.cs_public_key, - c_hash, - sizeof(*c_hash))) + &c_hash->hash, + sizeof(struct GNUNET_HashCode))) { GNUNET_log (GNUNET_ERROR_TYPE_WARNING, "Coin signature is invalid\n"); + // return GNUNET_YES; return GNUNET_NO; } return GNUNET_YES; diff --git a/src/util/test_crypto.c b/src/util/test_crypto.c index 64958cfc1..760ec0fa3 100644 --- a/src/util/test_crypto.c +++ b/src/util/test_crypto.c @@ -149,7 +149,6 @@ test_planchets_cs (void) struct TALER_WithdrawNonce nonce; struct TALER_DenominationCsPublicR r_pub; struct TALER_DenominationCsPublicR r_pub_blind; - struct TALER_DenominationCsPrivateR priv_r; struct TALER_BlindedDenominationSignature blind_sig; struct TALER_FreshCoin coin; 
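Review bot: The commented-out `// return GNUNET_YES;` added in the failure branch of TALER_denom_pub_verify (second hunk) is debugging residue sitting exactly where an invalid signature is rejected; if it is ever re-enabled, every bad CS coin signature would be accepted, and leaving it in place invites that mistake. Delete the line so the branch reads only `GNUNET_log (GNUNET_ERROR_TYPE_WARNING, "Coin signature is invalid\n");` followed by `return GNUNET_NO;`. The switch to verifying `&c_hash->hash, sizeof(struct GNUNET_HashCode)` is only correct if the signer hashes exactly the same bytes; the signing side is not in this diff, so that agreement should be confirmed (the now-passing test in test_crypto.c suggests it holds).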
@@ -174,30 +173,25 @@ test_planchets_cs (void) &ps, &c_hash, &pd, - &nonce, &r_pub, &r_pub_blind)); - // TODO: Remove r_secret if not needed - GNUNET_assert (GNUNET_OK == - TALER_denom_cs_derive_r_secret (&nonce, - &dk_priv, - &priv_r)); + GNUNET_assert (GNUNET_OK == TALER_denom_sign_blinded (&blind_sig, &dk_priv, &pd.blinded_planchet, &nonce)); - // GNUNET_assert (GNUNET_OK == - // TALER_planchet_to_coin (&dk_pub, - // &blind_sig, - // &ps, - // &c_hash, - // &coin, - // &r_pub_blind)); + GNUNET_assert (GNUNET_OK == + TALER_planchet_to_coin (&dk_pub, + &blind_sig, + &ps, + &c_hash, + &coin, + &r_pub_blind)); TALER_blinded_denom_sig_free (&blind_sig); - // TALER_denom_sig_free (&coin.sig); + TALER_denom_sig_free (&coin.sig); TALER_denom_priv_free (&dk_priv); TALER_denom_pub_free (&dk_pub); return 0; -- cgit v1.2.3
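Review bot: test_planchets_cs (last hunk) now exercises only the happy path: it asserts that a correctly produced CS signature unblinds and verifies, but never that a wrong one is rejected, so a verifier that accepts everything — such as the commented-out `return GNUNET_YES` this same commit leaves in TALER_denom_pub_verify — would still pass. Add a negative case after the successful TALER_planchet_to_coin: flip one byte of `coin.sig.details.cs_signature` (the scalar or the R point) and assert that TALER_denom_pub_verify returns GNUNET_NO for it, and likewise that verification under a different denomination public key fails. The start of test_planchets_cs, including where `nonce` is initialized, is outside the hunk.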